HYPERFLEET-1019 - docs: add LeakTK secret scanning to pre-commit hooks#139
HYPERFLEET-1019 - docs: add LeakTK secret scanning to pre-commit hooks#139ldornele wants to merge 3 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Central YAML (base), Organization UI (inherited) Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThis pull request updates the pre-commit hooks documentation to introduce LeakTK as the new secret scanning solution. The changes expand prerequisites to include Go 1.25+ and btrfs development headers, add a new "Secret Scanning Hook" section describing the LeakTK hook, include a LeakTK repository block in the standard Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@hyperfleet/docs/pre-commit-hooks.md`:
- Around line 316-323: Update the migration doc to include CI/CD steps so repos
continue enforcing hooks: explicitly instruct CI pipelines to install LeakTK
prerequisites (Go 1.25+ and btrfs-progs-devel), build the LeakTK/pre-commit
binary (same build used by developers) and cache it between jobs, replace
references to rh-pre-commit with the new built pre-commit binary invocation, and
add a CI step that runs the pre-commit binary (mirroring the developer `make
install-hooks` behavior) while noting the one-time compilation cost and how to
use pipeline cache to avoid it; reference the terms rh-pre-commit, LeakTK, make
install-hooks, and pre-commit in the doc so maintainers can locate and update
pipeline configs accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: 2fef7d4f-54d0-423e-96e1-045f3c18332a
📒 Files selected for processing (1)
hyperfleet/docs/pre-commit-hooks.md
| Or via Homebrew on macOS: | ||
|
|
||
| ```bash | ||
| brew install btrfs-progs | ||
| ``` |
There was a problem hiding this comment.
Warning
Blocking
Category: Bug
brew install btrfs-progs doesn't exist on Homebrew — btrfs is a Linux-only filesystem (verified with brew search btrfs).
Per LeakTK's own build docs, btrfs-progs-devel is only needed when CGO_ENABLED=1. Setting CGO_ENABLED=0 removes the system dependency entirely and is the simplest path, especially for macOS.
Consider restructuring the prerequisite and migration sections to:
- Recommend
CGO_ENABLED=0as the default (no system deps needed, works on all platforms) - Keep the
btrfs-progs-devel/libbtrfs-devinstructions as a fallback for those who need CGO enabled - Remove the macOS
brew install btrfs-progsinstruction entirely
# Example: if using pre-commit and CGO_ENABLED=1, install btrfs headers
# Fedora/RHEL: sudo dnf install btrfs-progs-devel
# Ubuntu/Debian: sudo apt install libbtrfs-dev
# macOS: set CGO_ENABLED=0 (no btrfs package available)
|
|
||
| --- | ||
|
|
||
| ### Adding Pre-commit Hooks to a Repository |
There was a problem hiding this comment.
Tip
nit — non-blocking suggestion
Category: Inconsistency
This heading is at ### (h3) — the same level as the ### Step 1: through ### Step 7: below it, making them siblings instead of children. By contrast, the new ### Secret Scanning Migration section properly nests its children at #### (h4).
Consider changing the Step headings below to #### to nest them under this wrapper, matching the pattern used in the Secret Scanning Migration section.
There was a problem hiding this comment.
♻️ Duplicate comments (1)
hyperfleet/docs/pre-commit-hooks.md (1)
353-383:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd an explicit CI hook reinstallation step (
make install-hooks).Lines 353-383 update CI invocation and caching, but they still don’t explicitly tell CI to reinstall hooks via repo-standard
make install-hooks. That leaves migration behavior inconsistent across repos that rely on Makefile wrappers.Suggested doc patch
**Step 5: Update CI/CD pipelines** If your repository enforces hooks in CI, update your pipeline configuration to use LeakTK instead of rh-pre-commit. The following steps apply regardless of CI platform (Prow, GitHub Actions, GitLab CI, etc.): 1. **Ensure Go 1.25+ is available** in your CI environment - Verify with `go version` or install if needed 2. **Install pre-commit framework**: ```bash pip install pre-commit ``` + +3. **Reinstall hooks using the repo-standard target**: + ```bash + make install-hooks + ``` -3. **Cache the pre-commit environment** to avoid 3-5 minute LeakTK compilation on every run +4. **Cache the pre-commit environment** to avoid 3-5 minute LeakTK compilation on every run - Cache directory: `~/.cache/pre-commit/` - Cache key: tie to `.pre-commit-config.yaml` content (e.g., hash of the file) - This reduces subsequent runs from minutes to seconds -4. **Replace rh-pre-commit invocations** with pre-commit: +5. **Replace rh-pre-commit invocations** with pre-commit: ```bash # Before (rh-pre-commit) rh-pre-commit run --all-files # After (pre-commit with LeakTK) pre-commit run --all-files ```As per coding guidelines, "Migration from
rh-pre-commit→ LeakTK: replace the rh-pre-commit GitLab repo block with the LeakTK GitHub block, require developers/CI to reinstall hooks (make install-hooks) and ensure CI caches~/.cache/pre-commit/to avoid repeated compilation, then update CI invocation fromrh-pre-commit run --all-filestopre-commit run --all-files."🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@hyperfleet/docs/pre-commit-hooks.md` around lines 353 - 383, The doc update misses an explicit CI hook reinstallation step; add a new numbered step after installing pre-commit that instructs CI to run the repo-standard make target "make install-hooks" (and renumber subsequent steps), and mention that CI should hash or tie caching to ".pre-commit-config.yaml" and cache "~/.cache/pre-commit/" so LeakTK (referenced by name) is compiled once; also ensure the guidance replaces "rh-pre-commit" invocations with "pre-commit run --all-files" and call out the Makefile wrapper ("make install-hooks") so repos using that wrapper perform consistent hook installation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@hyperfleet/docs/pre-commit-hooks.md`:
- Around line 353-383: The doc update misses an explicit CI hook reinstallation
step; add a new numbered step after installing pre-commit that instructs CI to
run the repo-standard make target "make install-hooks" (and renumber subsequent
steps), and mention that CI should hash or tie caching to
".pre-commit-config.yaml" and cache "~/.cache/pre-commit/" so LeakTK (referenced
by name) is compiled once; also ensure the guidance replaces "rh-pre-commit"
invocations with "pre-commit run --all-files" and call out the Makefile wrapper
("make install-hooks") so repos using that wrapper perform consistent hook
installation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: bff11411-e9dd-4ae1-bd88-c7a2cbd32faa
📒 Files selected for processing (1)
hyperfleet/docs/pre-commit-hooks.md
2 participants
Summary
Adds comprehensive documentation for LeakTK secret scanning as the recommended replacement for rh-pre-commit in HyperFleet repositories. LeakTK is an open-source secret scanning toolkit developed by Red Hat's
InfoSec team that removes VPN requirements while maintaining the same Gitleaks-based detection with Red Hat-specific patterns.
Changes Made
Documentation Updates
Added LeakTK secret scanning hook section
leaktk.git.pre-commitdetailsAdded migration guide: rh-pre-commit → LeakTK
Updated standard configuration
.pre-commit-config.yamltemplateAdded troubleshooting sections
Updated metadata
New References
Why This Change?
Benefits of LeakTK over rh-pre-commit
Trade-offs
Migration Impact
Who is affected?
Action Required
For new repositories: Use the updated
.pre-commit-config.yamltemplate from this documentation.For existing repositories using rh-pre-commit: Follow the migration guide in the "Secret Scanning Migration" section.